The OSSRH Guide walks you through the required
process of setting up the account with Sonatype. It’s as simple as
creating a Sonatype's JIRA account and then a
New Project ticket. When creating the account, try to
use the same domain in your email address that the project is hosted on.
It makes it easier for Sonatype to validate the relationship with the groupId requested in
the ticket, but it is not the only method used to confirm the ownership.

Creation of the New Project ticket is as simple as:

providing the name of the library in the ticket’s subject,

naming the groupId for distributing the library (make sure
it matches the root package of your code). Sonatype provides
additional hints on choosing the right groupId for publishing your library in
Choosing your coordinates guide.

providing the SCM and Project URLs to the source code and homepage of the
library.

After creating your Sonatype account on JIRA, you can log in
to the Nexus Repository Manager using the same credentials,
although this is not required in the guide, it can be helpful later to check
on published artifacts.

Note: Sonatype advises that responding to a New Project ticket might
take up to two business days, but in my case it was a few minutes.

SBT setup

To address Sonatype’s requirements for publishing to the central repository and to simplify the publishing process, you can
use two community plugins. The sbt-pgp plugin can sign the files with GPG/PGP
and sbt-sonatype can publish to a Sonatype repository.

First - PGP Signatures

With the PGP key you want to use, you can sign the artifacts
you want to publish to the Sonatype repository with the sbt-pgp plugin. Follow
the instructions for the plugin and you’ll have PGP signed artifacts in no
time.

In short, add the following line to your ~/.sbt/1.0/plugins/gpg.sbt file to
enable it globally for SBT projects:

addSbtPlugin("com.jsuereth" % "sbt-pgp" % "1.1.0-M1")

Note: The plugin is a jvm-only solution to generate PGP keys and sign
artifacts. It can also work with the GPG command line tool.

If you don’t have the PGP keys to sign your code with, one of the ways to
achieve that is to install the GNU Privacy Guard and:

use it to generate the keypair you will use to sign your library,

publish your certificate to enable remote verification of the signatures,

make sure that the gpg command is in PATH available to the sbt,

add useGpg := true to your build.sbt to make the plugin gpg-aware

PGP Tips’n’tricks

If the command to generate your key fails, execute the following commands and
remove the displayed files:

Note: The first two strings must be "Sonatype Nexus Repository Manager"
and "oss.sonatype.org" for Ivy to use the credentials.

Now, we want to control what’s available in the pom.xml file. This
file describes our project in the maven repository and is used by
indexing services for search and discover. This means it’s important
that pom.xml should have all information we wish to advertise as well
as required info!

First, let’s make sure no repositories show up in the POM file. To
publish on maven-central, all required artifacts must also be hosted
on maven central. However, sometimes we have optional dependencies for
special features. If that’s the case, let’s remove the repositories for
optional dependencies in our artifact:

pomIncludeRepository := { _ => false }

To publish to a maven repository, you’ll need to configure a few
settings so that the correct metadata is generated.
Specifically, the build should provide data for organization, url,
license, scm.url, scm.connection and developer keys. For example:

Note: the sbt-sonatype plugin can also be used to publish to other non-sonatype
repositories

Publishing tips’n’tricks

Use staged releases to test across large projects of independent releases
before pushing the full project.

Note: An error message of PGPException: checksum mismatch at 0 of 20
indicates that you got the passphrase wrong. We have found at least on
OS X that there may be issues with characters outside the 7-bit ASCII
range (e.g. Umlauts). If you are absolutely sure that you typed the
right phrase and the error doesn’t disappear, try changing the
passphrase.

Fourth - Integrate with the release process

Note: sbt-release is a third-party plugin meaning it is not covered by Lightbend subscription.

To automate the publishing approach above with the sbt-release plugin, you should simply add the publishing commands as steps in the
releaseProcess task: